fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Enroll secret printed in cleartext on error #16621

Closed getvictor closed 8 months ago

getvictor commented 9 months ago

Fleet version: 4.44

Web browser and operating system:

💥  Actual behavior

When creating a new team with fleetctl apply or the API and specifying a secret that is already in the DB, the secret comes back in plaintext, like:

Error: applying teams: POST /api/latest/fleet/spec/teams received status 409 Validation Failed: Error 1062 (23000): Duplicate entry '/ubD+AZJL/dTqDCABDCEFhLU+zwmI0PR' for key 'PRIMARY'

This is a security issue. For example, if a customer uses GitHub Actions for configuring Fleet, anyone with access to the workflow logs will see the secret.

🧑‍💻  Steps to reproduce

  1. Get a team spec with fleetctl get teams --yaml
  2. Change the team name and apply it with fleetctl apply

For example, apply the same secret to two teams:

---
apiVersion: v1
kind: enroll_secret
spec:
  secrets:
    - secret: MY_SECRET
      team_id: 4
    - secret: MY_SECRET
      team_id: 5

🕯️ More info (optional)

N/A

🛠️ To fix

  1. Improve the error message so it is clear that the enroll secret is already used.
  2. Obfuscate the secret
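As an added illustration of the two fixes proposed above (not Fleet's own code), this Go sketch maps the MySQL duplicate-entry error to a generic "already exists" message and, as defence in depth, masks every known secret value in any other error before it can reach an API response or a CI log. The dbError type, the insertSecret simulation and all function names are constructed stand-ins.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const mysqlErrDuplicateEntry = 1062 // ER_DUP_ENTRY, the code quoted in the issue
// dbError is a constructed stand-in for the MySQL driver error (number + message).
type dbError struct{ Number uint16; Message string }
func (e *dbError) Error() string { return fmt.Sprintf("Error %d (23000): %s", e.Number, e.Message) }
// enrollSecret mirrors the fields of the issue's enroll_secret YAML.
type enrollSecret struct{ Secret string; TeamID uint }
// insertSecret simulates a table keyed on the secret itself (seen holds the
// stored secrets), so a repeated secret fails like the error in the issue.
func insertSecret(seen map[string]bool, s enrollSecret) error {
	if seen[s.Secret] {
		return &dbError{mysqlErrDuplicateEntry, fmt.Sprintf("Duplicate entry '%s' for key 'PRIMARY'", s.Secret)}
	}
	seen[s.Secret] = true
	return nil
}
// ErrSecretExists is what the API surfaces instead of the raw DB error.
var ErrSecretExists = errors.New(`Resource Already Exists: secret "********" already exists`)
// applySecrets translates failures before they reach an API response or CI log:
// a duplicate becomes ErrSecretExists; any other error has every secret masked.
func applySecrets(seen map[string]bool, specs []enrollSecret) error {
	for _, s := range specs {
		if err := insertSecret(seen, s); err != nil {
			var dbErr *dbError
			if errors.As(err, &dbErr) && dbErr.Number == mysqlErrDuplicateEntry {
				return ErrSecretExists
			}
			return errors.New(redactSecrets(err.Error(), specs)) // defence in depth
		}
	}
	return nil
}

// redactSecrets masks every non-empty secret from specs that occurs in msg.
func redactSecrets(msg string, specs []enrollSecret) string {
	for _, s := range specs {
		if s.Secret != "" {
			msg = strings.ReplaceAll(msg, s.Secret, "********")
		}
	}
	return msg
}
```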

xpkoala commented 9 months ago

Lookin' good. Resource Already Exists: secret "********" already exists

fleet-release commented 8 months ago

Security cocooned, No secrets whispered in text, Trust in code renewed.